The world’s leading electronics manufacturer Foxconn suffered a ransomware attack that encrypted more than a thousand servers and exfiltrated more than 100 GB of data. The DoppelPaymer ransomware attack occurred at a Mexican facility over Thanksgiving weekend.
Foxconn has more than 800,000 employees and annual sales of 172 billion US dollars, according to 2019 figures. Subsidiaries include Sharp, Belkin, Innolux and FIH Mobile. It also makes electronic devices for the world’s leading technology giant Apple.
DoppelPaymer cybercrime gang takes responsibility for ransomware attack
Cyber security experts believe the ransomware attack took place on November 29th at the CTBG MX facility in Ciudad Juarez, Chihuahua, Mexico. The ransomware attack disrupted operations in North and South America.
Established in 2005, the 682,000 square foot facility oversees assembly and shipping operations for all products in North and South America.
The DoppelPaymer ransomware gang also took responsibility for the attack in an interview with BleepingComputer. However, the gang denied attacking the entire company and insisted that they only targeted the NA segment during the ransomware attack.
They claimed to have encrypted around 1,200 servers, exfiltrated around 100 GB of data, and destroyed 20-30 TB of backups in the process. The group also made it clear that they only targeted Foxconn’s servers and avoided the company’s workstations.
Foxconn’s documents were leaked online following the DoppelPaymer ransomware attack
A few days after the electronics giant suffered a ransomware attack, the DoppelPaymer ransomware gang released Foxconn’s files on an underground leak site.
The leaked files contained business documents and reports, but little financial, employee or customer information.
The release of the documents was intended to prove the validity of the stolen data. However, Foxconn was unable to verify that the published documents were from its collection.
The DoppelPaymer ransomware gang demands a ransom payment of $34 million
The attackers asked for a $34 million ransom to decrypt the servers and prevent the stolen data from being published on the Internet.
A ransom note posted by the DoppelPaymer ransomware gang contained a link to Foxconn’s victim page instructing the company to pay 1804.0955 bitcoins, currently valued at $34,686,000.
Foxconn also admitted the attack, saying that “an information system in the US that supports some of our operations in America was the focus of a cybersecurity attack on November 29th”.
The company said it involved technical experts and law enforcement agencies in investigating the incident and arresting the suspects.
“The system affected by this incident will be thoroughly inspected and gradually put back into operation,” said Foxconn.
The DoppelPaymer ransomware gang targets around 2% of the top companies in the world. Previous victims include Banijay Group SAS, Bretagne Télécom, Compal, Endemol Shine, Hall County in Georgia, Newcastle University, PEMEX (Petróleos Mexicanos) and the city of Torrance in California.
The new normal for ransomware attacks
Chris Clements, VP of Solutions Architecture at Cerberus Guardian, commenting on Foxconn’s DoppelPaymer ransomware attack, says: “This is the new normal. Ransomware gangs have grown from simple ‘script kiddies’ to hacking experts with a budget of several million dollars.”
“Unfortunately, most companies have not improved their defensive stance in a comparable way, and many even lack the basic security and surveillance functions to combat these seasoned adversaries,” commented Clements.
Clements also found that traditional security mechanisms such as firewalls and antivirus programs were ineffective against modern threats.
“The days of simply installing antivirus and firewall to protect companies are long gone. It is too easy to get a phishing email through spam filters that contains an attachment that is disguised so that the embedded exploit code is not intercepted by antivirus programs.”
He recommended the introduction of a “security culture that begins with the management” that prioritizes system and data security.
“Security awareness training on phishing email detection and information security best practices is a critical part of an effective security program, but it’s only the first step,” continued Clements. “An enterprise-wide convergence on information security best practices and the ability to spot suspicious behavior from cyber criminals or trusted insiders are essential to contain costly security breaches.”
James McQuiggan, Security Awareness Attorney, KnowBe4, says ransom demands have increased over the years.
“Usually they target about one to two percent of the company’s total profit, but the asking amount is lower. 34 million out of $172 billion is not a small amount, but by and large it is undoubtedly payable.”
McQuiggan says companies should have offline backups to avoid lost productivity. In addition, such backups increase recovery speed when criminal gangs encrypt computer systems and delete backups during a ransomware attack.